PCI DSS 2025: What online merchants need to do now to stay compliant

New PCI DSS requirements for merchants – what’s changing and how Shopware simplifies compliance

Starting April 2025, new requirements from the PCI DSS (Payment Card Industry Data Security Standard) will come into effect. For many merchants, this adds another layer of complexity. In this article, we’ll show you what to expect – and how Shopware helps simplify the process so you can stay focused on growing your business.

Who is affected?

If you run an online shop and accept credit card payments, either directly or indirectly (via payment providers like PayPal or Stripe), you will likely be affected.

Payment service providers and acquiring banks often require merchants to meet PCI DSS standards to minimize their own risk.

It’s not just a contractual formality: Security breaches or misuse of payment data can lead to severe penalties and reputational damage.

What is PCI DSS?

PCI DSS is a global security standard created by the credit card industry to protect sensitive payment information. It outlines specific measures covering:

  • Network security

  • Maintenance and vulnerability management

  • Access control and monitoring

  • Technical and organizational safeguards

What you must implement depends on factors like your payment provider, shop setup, and transaction volume. In many cases, a self-assessment questionnaire (SAQ) is sufficient, but sometimes you’ll need regular security scans or audits by a Qualified Security Assessor (QSA).

What’s new?

As of October 2024, PCI DSS version 4.0.1 is in effect. From April 2025 onward, all recertifications must comply with this latest version.

Important for merchants using external payment providers: The relevant self-assessment questionnaire (SAQ-A) was revised in January 2025. Several controls were removed – however, you remain responsible for formally confirming that no sensitive payment data can be accessed.

Also, a quarterly security scan by an Approved Scanning Vendor (ASV) remains mandatory.

What does this mean for Shopware merchants?

With Shopware, you have a strong, secure foundation to meet PCI DSS requirements – especially if you work with PCI-certified payment providers.

Our platform is designed to keep sensitive payment data out of your shop’s environment – reducing your PCI compliance efforts. Thanks to external payment integrations and Shopware’s flexible API architecture, sensitive payment processes remain clearly separated.

Additionally, we’re actively working to further simplify compliance processes. We're currently evaluating partnerships and services to offer even more support and security to our merchants.

Key actions for Shopware merchants:

  • Review your contractual obligations with payment service providers and acquiring banks.

  • Keep your Shopware installation, extensions, and plugins updated.

  • Use strong passwords and review access restrictions regularly.

  • Ensure you’re filling out the SAQ-A correctly and consult a Qualified Security Assessor (QSA) if needed.

Conclusion

Data security isn’t optional – it’s essential for the success of your online shop. Credit card payments and seamless digital shopping experiences go hand in hand, as does the responsibility to safeguard payment information.

With Shopware, you’re in a strong position to meet PCI DSS standards – thanks to the integration of secure payment providers and our modern, flexible platform architecture.

We’re also continuously working to offer additional compliance services and support, so you can focus on what matters most: growing your business.

PCI DSS for online shops – Frequently Asked Questions

Wondering how PCI DSS affects your online store? Here are some common questions merchants ask about PCI DSS compliance – and how Shopware supports you.

Is PCI DSS only relevant for certain countries?

No, PCI DSS (Payment Card Industry Data Security Standard) is a global security standard. It applies worldwide to all merchants who accept credit card payments, regardless of their country. Typically, payment service providers or acquiring banks require their merchants to comply with PCI DSS to minimize security risks.

As a Shopware merchant, am I required to comply with PCI DSS?

Whether PCI DSS compliance is mandatory depends on your agreements with payment service providers. If you use external PCI-certified payment providers, your effort is significantly reduced. Shopware itself does not store sensitive credit card data and provides a secure and flexible foundation to support compliance with PCI DSS requirements.

What happens if I don't comply with PCI DSS?

Non-compliance with PCI DSS can result in penalties from payment providers, termination of business relationships, or financial losses. It may also damage customer trust. Therefore, it’s essential to take these requirements seriously and review them regularly.


Lukas Tepner